Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2019-3778

Опубликовано: 07 мар. 2019
Источник: nvd
CVSS3: 6.5
CVSS2: 6.4
EPSS Средний

Описание

Spring Security OAuth, versions 2.3 prior to 2.3.5, and 2.2 prior to 2.2.4, and 2.1 prior to 2.1.4, and 2.0 prior to 2.0.17, and older unsupported versions could be susceptible to an open redirector attack that can leak an authorization code. A malicious user or attacker can craft a request to the authorization endpoint using the authorization code grant type, and specify a manipulated redirection URI via the "redirect_uri" parameter. This can cause the authorization server to redirect the resource owner user-agent to a URI under the control of the attacker with the leaked authorization code. This vulnerability exposes applications that meet all of the following requirements: Act in the role of an Authorization Server (e.g. @EnableAuthorizationServer) and uses the DefaultRedirectResolver in the AuthorizationEndpoint. This vulnerability does not expose applications that: Act in the role of an Authorization Server and uses a different RedirectResolver implementation other than DefaultRed

Ссылки

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:pivotal_software:spring_security_oauth:*:*:*:*:*:*:*:*
Версия от 2.0.0 (включая) до 2.0.17 (исключая)
cpe:2.3:a:pivotal_software:spring_security_oauth:*:*:*:*:*:*:*:*
Версия от 2.1.0 (включая) до 2.1.4 (исключая)
cpe:2.3:a:pivotal_software:spring_security_oauth:*:*:*:*:*:*:*:*
Версия от 2.2.0 (включая) до 2.2.4 (исключая)
cpe:2.3:a:pivotal_software:spring_security_oauth:*:*:*:*:*:*:*:*
Версия от 2.3.0 (включая) до 2.3.5 (исключая)
Конфигурация 2

Одно из

cpe:2.3:a:oracle:banking_corporate_lending:14.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_corporate_lending:14.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_corporate_lending:14.4.0:*:*:*:*:*:*:*

EPSS

Процентиль: 94%
0.1533
Средний

6.5 Medium

CVSS3

6.4 Medium

CVSS2

Дефекты

CWE-601
CWE-601

Связанные уязвимости

redhat логотип

CVE-2019-3778

CVSS3: 5.3
redhat
почти 7 лет назад

Spring Security OAuth, versions 2.3 prior to 2.3.5, and 2.2 prior to 2.2.4, and 2.1 prior to 2.1.4, and 2.0 prior to 2.0.17, and older unsupported versions could be susceptible to an open redirector attack that can leak an authorization code. A malicious user or attacker can craft a request to the authorization endpoint using the authorization code grant type, and specify a manipulated redirection URI via the "redirect_uri" parameter. This can cause the authorization server to redirect the resource owner user-agent to a URI under the control of the attacker with the leaked authorization code. This vulnerability exposes applications that meet all of the following requirements: Act in the role of an Authorization Server (e.g. @EnableAuthorizationServer) and uses the DefaultRedirectResolver in the AuthorizationEndpoint. This vulnerability does not expose applications that: Act in the role of an Authorization Server and uses a different RedirectResolver implementation other than Default...

github логотип

GHSA-77rv-6vfw-x4gc

CVSS3: 6.5
github
почти 7 лет назад

spring-security-oauth and spring-security-oauth2 Open Redirect vulnerability

fstec логотип

BDU:2021-00718

CVSS3: 6.5
fstec
почти 7 лет назад

Уязвимость компонента OAuth Java-фреймворка для обеспечения безопасности промышленных приложений Spring Security, позволяющая нарушителю повысить свои привилегии и получить несанкционированный доступ к защищаемой информации

EPSS

Процентиль: 94%
0.1533
Средний

6.5 Medium

CVSS3

6.4 Medium

CVSS2

Дефекты

CWE-601
CWE-601